
Authentication Scripts for a User Management Application

In this article we will continue to discuss the application-wide scripts that we started to talk about in the last article. These special scripts are used by all the scripts and pages of the application. We will continue to look at the func.inc script that has several useful functions defined in it. This article is the third part of a nine-part series.

The func.inc script

This script is essentially an include file that contains helper functions, such as the one that uses regular expressions to check if a given email address is correctly formatted. The file contains at least four functions, which are listed below:

The first function checks whether a given user has admin access. It takes one parameter, the user ID, and uses it to run a query that looks up the user's access level. Note that the ID is concatenated straight into the SQL string, so callers must only ever pass it a trusted, validated value.

First, a query is defined:

    function isadmin($id){
        //run query to check if this user is admin
        $sql = "SELECT level FROM users WHERE uid='".$id."'";

Then the query is run using the mysql_query() function:

        $res = mysql_query($sql);

Then a check is made to determine whether the query was successful, using the $res variable that holds the query result. If $res is not false, the query ran without error. Note that this is true even when no row matched the ID: in that case mysql_fetch_assoc() returns false, the level comparison below fails, and the function returns false for the unknown user. If the query itself fails, the function falls through and returns nothing (null). When the query succeeds, the access level is retrieved:

        if($res){
            $row = mysql_fetch_assoc($res);

Next, the code checks the access level. If it is admin, then the function returns true:

            if($row['level'] == 'admin'){
                return TRUE;
            }else{

Otherwise it returns false:

                return FALSE;
            }
        }
    }

The next function is isAuthed(). It is responsible for checking whether a user is authenticated. It should be called at the very top of every page to ensure that anyone who reaches a particular page has the right to be there.

The function takes one parameter and works by checking whether that value is set. In this application the value passed in is the username session variable, which is set when the user logs in. Below is the code:

    function isAuthed($uname){
        if(isset($uname)){
            return TRUE;
        }else{
            return FALSE;
        }
    }

It can be used in the following way (the function must be called with the session username; a bare isauthed would be read by PHP as an undefined constant, not a function call):

    if(isAuthed($_SESSION['uname'])){
        //user is authenticated, can view the page
    }else{
        //the user is not authenticated, redirect to login page
    }

The function is very easy to understand. First it takes the given name and checks to see if it is set. If so, the function returns true:

    if(isset($uname)){
        return TRUE;
    }else{

Otherwise, the function returns false, which basically means that the username is not set; therefore, the user that is trying to access this particular page does not have the right to do so:

        return FALSE;

The next function is called genpass(). It does not take any parameters. It is responsible for generating a random password and will be used during the registration process. The function begins by defining the $chars string that the password characters are drawn from (the loop below indexes it with rand() % 39, so it holds 39 characters; its exact value is not reproduced in this article) and then sets $thepass to empty. This variable is going to be used to store the newly generated password, as you will see in a short while:

    function genpass(){
        // $chars: the 39-character alphabet the loop draws from (value not shown in this article)
        $thepass = '';

Then we come to the heart of the function. A for loop is run and random characters stored in the $chars variable are added to the $thepass variable with each iteration until the count reaches seven:

        // rand() is not a cryptographic generator; seven characters from a 39-symbol
        // alphabet also gives a fairly short password
        for($i=0;$i<7;$i++)
        {
            $thepass .= $chars[rand() % 39];
        }

Once the loop reaches seven, the function returns the newly generated password:

        return $thepass;
    }

The final function in the include file is responsible for checking to see if a given email address is correctly formatted. It takes one parameter, which is the email address, and then tests it using regular expressions. This function will be used by any script that requires the user to enter an email address. It has the following code:

    function checkEmail($email){
        if(eregi('^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,8}$',$email)){
            return TRUE;
        }else{
            return FALSE;
        }
    }

It is used in the following way:

    $Aemail = "jamespayne@webmail.com";
    if(checkEmail($Aemail)){
        //Email address is correctly formatted do what ever
    }else{
        //set an error message
    }

The function uses eregi(), the case-insensitive POSIX regular expression function (deprecated in PHP 5.3 and removed in PHP 7, where preg_match() is the replacement), to find out whether a given email address is correctly formatted:

    if(eregi('^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,8}$',$email)){

Let's break this line down. We know that an email address contains an @ sign, followed by a domain that contains at least one period and a top-level domain after the last period. So in the regular expression above, the first half of the pattern, before the @ sign, checks that the local part starts with a letter or digit ([[:alnum:]]) and then contains only letters, digits, underscores, periods and hyphens:

    ^[[:alnum:]][a-z0-9_.-]*@

The next part of the line matches the domain name that follows the @ sign: one or more letters, digits, periods or hyphens, then a period (the backslash makes it a literal period rather than the "any character" metacharacter), and then the letters of the top-level domain:

    [a-z0-9.-]+\.[a-z]

The final part of the check limits the top-level domain after the last period to between two and eight letters; the {2,8} quantifier expresses this, the $ anchors the match at the end of the string, and then the value that is to be checked (which in this case is $email) is passed as the second argument:

    {2,8}$',$email)){

If the pattern matches the email address, the function returns true:

        return TRUE;

Otherwise, it returns false:

        return FALSE;
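As an added example, not code from the original article, here are the same four func.inc helpers rewritten for a current PHP release with the fixes a security review would ask for: a bound parameter in isadmin(), the session read directly in isAuthed(), a CSPRNG in genpass(), and preg_match()/filter_var() in place of the removed eregi(). It assumes a PDO connection object $dbc instead of the mysql_* link, the same users table with uid and level columns, and a constructed 62-character alphabet in place of the article's unshown $chars:

```php
<?php
// Added example (not the article's code). Assumes $dbc is a PDO connection
// and the users table has uid and level columns as in the article.

// isadmin: $id is bound as a parameter instead of being concatenated into
// the SQL, so a crafted id cannot change the query.
function isadmin(PDO $dbc, string $id): bool {
    $stmt = $dbc->prepare('SELECT level FROM users WHERE uid = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // fetch() returns false when no row matched: unknown user is not admin
    return $row !== false && $row['level'] === 'admin';
}

// isAuthed: reads the session itself rather than trusting a value passed in
// by the caller; isset() on a missing $_SESSION key raises no notice.
function isAuthed(): bool {
    return isset($_SESSION['uname']) && $_SESSION['uname'] !== '';
}

// genpass: rand() is predictable, random_int() uses the OS CSPRNG.
// The article's $chars value is not shown, so a constructed 62-character
// alphabet is used here, and the length is a parameter (default 12).
function genpass(int $length = 12): string {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $thepass = '';
    for ($i = 0; $i < $length; $i++) {
        $thepass .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $thepass;
}

// checkEmail: eregi() was removed in PHP 7. preg_match() with the /i flag
// keeps the article's case-insensitive rule (dot escaped so it is literal),
// and filter_var() adds PHP's own syntax check on top of it.
function checkEmail(string $email): bool {
    $pattern = '/^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,8}$/i';
    return preg_match($pattern, $email) === 1
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}
```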

The last of the application-wide scripts is the global.php script. This script contains the database connection details and is made available to any script that needs to access the database. It has the following code:

    <?php
    session_start();
    $host = "localhost";
    $pw = "mypass";
    $user = "myuser";
    $dbname = "user";
    $dbc = mysql_connect($host,$user,$pw) or die(mysql_error());
    mysql_select_db($dbname) or die(mysql_error());
    ?>

The script is fairly easy to understand. It fills some variables with the connection details that the database server requires, then connects and selects the database. If either step fails, the script stops and prints the database error message. Keep in mind that die(mysql_error()) shows the raw driver error to whoever requested the page, which can reveal host names, user names or schema details; in a production deployment the detail belongs in a server-side log, with only a generic message shown to the user:

    $dbc = mysql_connect($host,$user,$pw) or die(mysql_error());
    mysql_select_db($dbname) or die(mysql_error());

The logout script

The logout script is responsible for ending a session that the user starts when he or she is logged in. It has the following code:

    <?php
    session_start();
    if(isset($_SESSION['uname'])) {
        session_unset();
        session_destroy();
        header("location:login.php");
        exit();
    }
    else{
        if(!isset($_SESSION['uname'])) {
            //the session variable isn't registered, the user shouldn't even be on this page
            header("location:login.php");
            exit();
        }
    }
    ?>

It ends sessions in the following way. First, it opens the session by calling the session_start() function, and then checks whether the username session variable is set:

    <?php
    session_start();

Then the username check is carried out:

    if(isset($_SESSION['uname'])) {

Next, the session_unset() function is called. This function frees all of the variables currently stored in the session array:

        session_unset();

At this point, the session_destroy() function is called to end the session:

        session_destroy();

The session_destroy() function removes the session data from the server, where it is stored in temporary files. Note that it does not remove the session cookie from the user's browser; the browser keeps sending the old session ID until the cookie expires or is explicitly overwritten, so a complete logout should also expire that cookie. Once the session has been destroyed, the user is redirected to the login page:

        header("location:login.php");
        exit();
    }

If the username session variable is not set, then the user is also redirected to the login page, since he or she does not have the right to be on the page in the first place:

    else{
        if(!isset($_SESSION['uname'])) {
            //the session variable isn't registered, the user shouldn't even be on this page
            header("location:login.php");
            exit();
        }
    }
    ?>
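As an added example, not the article's own scripts, here are global.php and the logout script rewritten together for a current PHP release: PDO replaces the removed mysql_* functions, connection failures are logged instead of being shown to the user, and logout also expires the browser's session cookie. It assumes the same placeholder connection values as the article and a session keyed on $_SESSION['uname']:

```php
<?php
// Added example (not the article's code). Connection values are the article's
// placeholders; the session key is $_SESSION['uname'] as in the article.

// --- global.php ---
// mysql_connect()/mysql_select_db() were removed in PHP 7; PDO replaces them.
// Exceptions are caught so a failed connection shows a generic message
// rather than the driver error that die(mysql_error()) would print.
session_start();
$host   = 'localhost';
$pw     = 'mypass';
$user   = 'myuser';
$dbname = 'user';
try {
    $dbc = new PDO("mysql:host=$host;dbname=$dbname;charset=utf8mb4", $user, $pw, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
} catch (PDOException $e) {
    error_log('DB connection failed: ' . $e->getMessage()); // detail goes to the log only
    exit('Service temporarily unavailable.');
}

// --- logout.php ---
// session_destroy() removes the server-side data but leaves the session
// cookie in the browser; expiring the cookie closes that gap. Both branches
// end on login.php, as in the article.
function logout(): void {
    if (isset($_SESSION['uname'])) {
        $_SESSION = [];                      // same effect as session_unset()
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
    }
    header('Location: login.php');
    exit();
}
logout();
```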

In the next article, we will take a close look at the login page and the script behind this essential function. See you next week!